Univention Bugzilla – Bug 38413
libitalc is constantly crashing (segfault) in test environments if debuglevel was 2
Last modified: 2016-01-26 14:41:08 CET
In several UCS@school test environments numerous segfaults of the UCS@school computerroom module were noticed:

root@slave81:~# dmesg | grep segfault | tail -1
[125430.710625] univention-mana[24783]: segfault at 0 ip 00007f86125ef16b sp 00007f85ef8107d8 error 6 in libc-2.13.so[7f8612566000+182000]
root@slave81:~# dmesg | grep univention-mana | grep -c segfault
39
root@slave81:~#

When raising the debug level of the UMC modules to 4, the segfault vanished but reappeared when lowering the debug level back to 2.

After enabling core dumps in the UMC server and UMC modules, I was able to catch a core dump of the UCS@school computerroom module that gave interesting information:

See bug 37280 on how to enable core dumps for UMC components. I added "ulimit -c unlimited" to /etc/init.d/univention-management-console-server and checked the limits of the UMC module after restarting the UMC server and opening the first UMC module (limit should be "unlimited"):

root@slave81:~# pgrep -f univention-management-console-module
24205
root@slave81:~# cat /proc/24205/limits | grep core
Max core file size            unlimited            unlimited            bytes
root@slave81:~#

Next I tried to trigger the segfault. The core file of the module process could be found as "/core".
# ucr set repository/online/unmaintained=yes
# univention-install libc6-dbg italc-dbg gdb
# gdb /usr/bin/python2.7 core
[…]
(gdb) bt
#0  __memcpy_sse2 () at ../sysdeps/x86_64/multiarch/../memcpy.S:267
#1  0x00007f85f0a88fb5 in CopyRectangle (buffer=<optimized out>, x=<optimized out>, y=<optimized out>, w=800, h=1, client=<error reading variable: Unhandled dwarf expression opcode 0xfa>, client=<error reading variable: Unhandled dwarf expression opcode 0xfa>, client=<error reading variable: Unhandled dwarf expression opcode 0xfa>) at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/ica/x11/libvncclient/rfbproto.c:172
#2  0x00007f85f0a5f1ee in DecompressJpegRect32 (client=client@entry=0x2ff5e00, x=x@entry=0, y=y@entry=0, w=w@entry=800, h=h@entry=81) at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/ica/x11/libvncclient/tight.c:580
#3  0x00007f85f0a5f3ca in HandleTight32 (client=client@entry=0x2ff5e00, rx=0, ry=0, rw=800, rh=81) at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/ica/x11/libvncclient/tight.c:146
#4  0x00007f85f0a90d65 in HandleRFBServerMessage (client=0x2ff5e00) at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/ica/x11/libvncclient/rfbproto.c:2101
#5  0x00007f85f0a647a2 in ItalcVncConnection::doConnection (this=this@entry=0x2ba5fa0) at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/lib/src/ItalcVncConnection.cpp:644
#6  0x00007f85f0a648c8 in ItalcVncConnection::run (this=0x2ba5fa0) at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/lib/src/ItalcVncConnection.cpp:524
#7  0x00007f861017cd0b in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#8  0x00007f8613199b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#9  0x00007f861264270d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#10 0x0000000000000000 in ?? ()
(gdb) up
#1  0x00007f85f0a88fb5 in CopyRectangle (buffer=<optimized out>, x=<optimized out>, y=<optimized out>, w=800, h=1, client=<error reading variable: Unhandled dwarf expression opcode 0xfa>, client=<error reading variable: Unhandled dwarf expression opcode 0xfa>, client=<error reading variable: Unhandled dwarf expression opcode 0xfa>) at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/ica/x11/libvncclient/rfbproto.c:172
172	    case 32: COPY_RECT(32); break;
(gdb) print client->frameBuffer
Unhandled dwarf expression opcode 0xfa
(gdb) up
#2  0x00007f85f0a5f1ee in DecompressJpegRect32 (client=client@entry=0x2ff5e00, x=x@entry=0, y=y@entry=0, w=w@entry=800, h=h@entry=81) at /var/build/temp/tmp.WeqkYO8HNb/pbuilder/italc-2.0.22/ica/x11/libvncclient/tight.c:580
580	    CopyRectangle(client, (uint8_t *)&client->buffer[RFB_BUFFER_SIZE / 2], x, y + dy, w, 1);
(gdb) print client->frameBuffer
$1 = (uint8_t *) 0x0
(gdb)

It looks like it is not assured that the frameBuffer is already allocated when handling the first messages coming from the iTALC Windows client.
A comparison of the latest iTALC code (https://github.com/iTALC/italc) with our iTALC code base showed that a null pointer check is missing in the UCS@school code.

A first test with a patched libitalc.so revealed another missing null pointer check:

(gdb) bt
#0  FillRectangle (client=0x32dca00, x=229, y=<optimized out>, w=<optimized out>, h=<optimized out>, colour=14467239) at /var/build/temp/tmp.waiC6Hcw5s/pbuilder/italc-2.0.22/ica/x11/libvncclient/rfbproto.c:151
#1  0x00007f058a33a305 in HandleTight32 (client=client@entry=0x32dca00, rx=229, ry=567, rw=309, rh=33) at /var/build/temp/tmp.waiC6Hcw5s/pbuilder/italc-2.0.22/ica/x11/libvncclient/tight.c:134
#2  0x00007f058a36bc35 in HandleRFBServerMessage (client=0x32dca00) at /var/build/temp/tmp.waiC6Hcw5s/pbuilder/italc-2.0.22/ica/x11/libvncclient/rfbproto.c:2105
#3  0x00007f058a33f6d2 in ItalcVncConnection::doConnection (this=this@entry=0x2b523c0) at /var/build/temp/tmp.waiC6Hcw5s/pbuilder/italc-2.0.22/lib/src/ItalcVncConnection.cpp:644
#4  0x00007f058a33f7f8 in ItalcVncConnection::run (this=0x2b523c0) at /var/build/temp/tmp.waiC6Hcw5s/pbuilder/italc-2.0.22/lib/src/ItalcVncConnection.cpp:524
#5  0x00007f05a9a57d0b in ?? () from /usr/lib/x86_64-linux-gnu/libQtCore.so.4
#6  0x00007f05aca74b50 in start_thread (arg=<optimized out>) at pthread_create.c:304
#7  0x00007f05abf1d70d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#8  0x0000000000000000 in ?? ()
(gdb) up
#1  0x00007f058a33a305 in HandleTight32 (client=client@entry=0x32dca00, rx=229, ry=567, rw=309, rh=33) at /var/build/temp/tmp.waiC6Hcw5s/pbuilder/italc-2.0.22/ica/x11/libvncclient/tight.c:134
134	    FillRectangle(client, rx, ry, rw, rh, fill_colour);
(gdb) print client->frameBuffer
$1 = (uint8_t *) 0x0

After patching the libitalc, the segfaults were no longer reproducible.
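As an added illustration (not code from iTALC, libvncclient or the UCS@school package; the rfbClient struct below is a simplified stand-in carrying only the fields this example needs), the following C shows the unchecked write pattern behind both backtraces next to a checked version that drops a rectangle while client->frameBuffer is still NULL, and replays the sequence from this bug: Tight rectangles arriving before the frame buffer exists, then the same rectangles after allocation. The bounds check on the rectangle is an addition beyond the null pointer check described in the comments above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for libvncclient's rfbClient (assumption: only the
 * fields this example needs; the real struct has many more). */
typedef struct {
    uint8_t *frameBuffer;   /* NULL until the client allocates it */
    int width;
    int height;
    int bytesPerPixel;      /* 4 on the 32-bit path seen in the backtrace */
} rfbClient;

/* Unchecked pattern: writes straight into client->frameBuffer. With a NULL
 * frameBuffer this becomes a write near address 0 ("segfault at 0 ... error 6"
 * in dmesg). Only reached here once a buffer exists. */
static void FillRectangle_unchecked(rfbClient *c, int x, int y, int w, int h, uint32_t colour)
{
    int bpp = c->bytesPerPixel;
    for (int j = y; j < y + h; j++)
        for (int i = x; i < x + w; i++)
            memcpy(c->frameBuffer + ((size_t)j * c->width + i) * bpp, &colour, bpp);
}

static int rect_fits(const rfbClient *c, int x, int y, int w, int h)
{
    return x >= 0 && y >= 0 && w >= 0 && h >= 0 &&
           x + w <= c->width && y + h <= c->height;
}

/* Checked version: ignore the rectangle (return 0) until the frame buffer
 * has been allocated and the rectangle fits; return 1 when it was drawn. */
static int FillRectangle_checked(rfbClient *c, int x, int y, int w, int h, uint32_t colour)
{
    if (c->frameBuffer == NULL || !rect_fits(c, x, y, w, h))
        return 0;
    FillRectangle_unchecked(c, x, y, w, h, colour);
    return 1;
}

/* Same guard on the CopyRectangle path (tight.c:580 in the first backtrace):
 * copy w*h decoded pixels from a scratch buffer into the frame buffer. */
static int CopyRectangle_checked(rfbClient *c, const uint8_t *src, int x, int y, int w, int h)
{
    int bpp = c->bytesPerPixel;
    if (c->frameBuffer == NULL || src == NULL || !rect_fits(c, x, y, w, h))
        return 0;
    for (int j = 0; j < h; j++)
        memcpy(c->frameBuffer + (((size_t)y + j) * c->width + x) * bpp,
               src + (size_t)j * w * bpp, (size_t)w * bpp);
    return 1;
}

static uint32_t pixel_at(const rfbClient *c, int x, int y)
{
    uint32_t v = 0;
    if (c->frameBuffer != NULL)
        memcpy(&v, c->frameBuffer + ((size_t)y * c->width + x) * c->bytesPerPixel, c->bytesPerPixel);
    return v;
}

/* Replays the bug: the rectangles from the two backtraces (constructed from
 * their arguments) arrive before allocation, then again after it.
 * Returns the number of rectangles actually drawn (2) or -1 on a wrong pixel. */
static int replay_bug_sequence(void)
{
    rfbClient client = { .frameBuffer = NULL, .width = 800, .height = 600, .bytesPerPixel = 4 };
    uint8_t scratch[800 * 4];
    int drawn = 0;
    memset(scratch, 0xAB, sizeof scratch);

    /* Before allocation: both must be dropped instead of dereferencing NULL. */
    drawn += FillRectangle_checked(&client, 229, 567, 309, 33, 14467239u);
    drawn += CopyRectangle_checked(&client, scratch, 0, 0, 800, 1);

    /* After allocation the same messages are applied normally. */
    client.frameBuffer = calloc((size_t)client.width * client.height, client.bytesPerPixel);
    if (client.frameBuffer == NULL)
        return -1;
    drawn += FillRectangle_checked(&client, 229, 567, 309, 33, 14467239u);
    drawn += CopyRectangle_checked(&client, scratch, 0, 0, 800, 1);

    uint32_t p = pixel_at(&client, 229, 567);
    free(client.frameBuffer);
    return (p == 14467239u) ? drawn : -1;
}

/* A rectangle one pixel wider than the buffer must also be rejected. */
static int oversized_rect_is_dropped(void)
{
    rfbClient client = { .frameBuffer = NULL, .width = 800, .height = 600, .bytesPerPixel = 4 };
    client.frameBuffer = calloc((size_t)client.width * client.height, client.bytesPerPixel);
    if (client.frameBuffer == NULL)
        return 0;
    int r = FillRectangle_checked(&client, 0, 0, 801, 1, 0);
    free(client.frameBuffer);
    return r == 0;
}

int main(void)
{
    printf("rectangles drawn: %d\n", replay_bug_sequence());
    return 0;
}
```

The early return mirrors what the iTALC upstream null pointer check achieves: a server message decoded before the framebuffer exists is dropped rather than written through a NULL pointer, and the thread running doConnection() keeps going instead of taking the whole UMC module process down.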
italc-master_2.0.23-1.74.201505010017_XXX.deb
italc-client_2.0.23-1.74.201505010017_XXX.deb
libitalc_2.0.23-1.74.201505010017_XXX.deb
italc-management-console_2.0.23-1.74.201505010017_XXX.deb
libitalc-dev_2.0.23-1.74.201505010017_XXX.deb
italc-dbg_2.0.23-1.74.201505010017_XXX.deb

XML changelog entry has been added.
Code-Review: OK (I hope CopyRectangleFromRectangle() will not cause this again in the future).
Packages [i386/amd64]: OK
Changelog: OK

I could not reproduce the segfault.
UCS@school 4.0 R2 v1 has been released: http://docs.univention.de/release-notes-ucsschool-4.0R2v1-de.html If this error occurs again, please use "Clone This Bug".